Posted
by
Unknown Lamer
on Wednesday January 15, 2014 @12:36PM
from the spin-up-an-extortion-image dept.

An anonymous reader writes "The United States is the leading malware hosting nation, with 44 percent of all malware hosted domestically, according to Solutionary. The U.S. hosts approximately 5 times more malware than the second-leading malware-hosting nation, Germany, which is responsible for 9 percent of the detected malware. The cloud is allowing malware distributors to create, host and remove websites rapidly, and major hosting providers such as Amazon, GoDaddy and Google have made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems."

we host the most sites, but all the big hacks and l337 hax0rz are from other countries. just shows to go ya, we have lost the innovation edge in the US, outclassed by WhateverStan. I am so embarassed...

Amazon, with its immense resources, should be one of the cleanest hosts on
the planet. They can afford, using their spare change, to staff a 24x7 abuse desk
with very senior people. The budgetary impact wouldn't even be a blip. And with
the right people, suitably empowered, they could keep their operation nearly free of
malware, phishing, spam, and other forms of abuse. They're far better positioned
to do this than many smaller operations, who couldn't possibly afford it.

But they haven't. Why not? Is it because they don't know? Unlikely. Of course
they know. Is it because they don't know how to address it? Equally unlikely.
Of course they do. They have some smart people on staff. No, they know what
the problem is AND they know how to fix it.

They just don't want to.

Because even as (relatively) small as those costs would be, it's still cheaper for
them to externalize them to the entire rest of the Internet, and let all of us deal with it.
So rather than taking professional responsibility for their own operation, they've decided
to just blow it off. After all: who's going to make them?

I would say the same about GoDaddy, but it's not true. They actively support,
encourage, and endorse spam, malware, phishing and every other form of abuse.
They have from the beginning, only their method of lying about it has changed.
(And don't forget GoDaddy's own history of self-promoting spam.) But once
again: who's going to make them do anything differently?

Until operations are held accountable for their actions -- which is something
that we USED to do on this network, a long time ago -- most won't bother.
And that is, in large part, why problems like spam and phishing and malware
are epidemic.

You just upload and your malware is ready to be linked to millions with no maintenance on your part. Also keeps you from exposing yourself by hosting on your own server. Also makes it trivial to migrate to a new domain when you get shut down. All you have to do is upload the same template to a new host. And it won't get bogged down even if you had hundreds of domains(hopefully).

Have you ever used AWS? You set up an instance, configure it and install your malware distribution app, save a snapshot in working state, and then share the AMI with as many accounts as you can create. One goes down, the next goes up, all within geographically distributed load balancers. I would imagine if you have enough AWS accounts you could keep a large enough pool to avoid detection at all. Hell, they even offer CLI tools that can do most if not all of this from a script.

There are a large number of reasonably well-understood methods for dealing with this.

First, you have a working RFC 2142 role account address: abuse@ your domain.
You pay attention to what shows up there. You reply promptly. You engage. After
all, if someone is doing your job for you and doing it on THEIR dime, the least you
can do is take advantage of it. Moreover, if you manage to do this reasonably well,
word will get out, you'll earn the respect of your peers, and they will reward you with
more reports -- again, doing your work for you for free.

Worth noting is that Amazon makes it nearly impossible to communicate with their
abuse desk and fails to respond to reports in any way, let alone a timely one. And it's
well known that GoDaddy frequently forwards them to the abusers.

Second, you pay attention to netflows. If a virtual host instance is opening up TCP
connections on port 25 to a kazillion hosts/hour, then it's spamming. Any kind of
perfunctory monitoring will spot this and a hundred other similar things in real time.

Third, you pay attention to who's behind the incidents. If you don't, then they'll
just sign up over and over and over again. So you work to avoid that, by looking
at the who, what, where, when patterns -- and you ban repeat offenders. This
isn't watertight, of course -- but it doesn't need to be. If you raise the bar high
enough, they'll just go somewhere else, which reduces your workload and lets
you focus more tightly on what's left.

Fourth, you look at usage patterns. Most web sites do NOT display global
usage patterns, particularly those which are connected to a domain registered
yesterday. (Think about it.) If you observe that, then something's up: it might
be legitimate. It's almost certainly not. The same thing applies to other
services and other protocols.

Fifth, if you're Amazon, you have a highly paid legal staff. Use them. Smack
the crap out of a few particulaly egregious offenders in court. Make it noisy so
that everyone else knows you're doing it. Again, this doesn't have to be watertight;
it just has to discourage miscreants.

Finally (and I'm stopping here for brevity, there's a lot more), do all this publicly.
Encourage your peers to do the same. Challenge them. Raise the collective
bar, not just your own. Cooperate with your competitors.

All of this costs money. Not a stupid amount of money, but it does cost.
Which is why it almost never gets done (see previous post).

It used to be that malware ran on cracked residential PCs, because there were lots of them around and they were much easier targets. But these days the place to be is renting cloud servers with stolen credit cards, and if they're good enough to pass initial validation you're probably golden for a month, or at least until your malware site gets caught. That's plenty long enough to steal some more credit cards, if you're a professional malware practitioner. And it's harder to get caught if you can fire up

You can get in and out of a lot of providers with a credit card or less. No one wants to be the first to use a secondary auth to protect integrity. Worse: providers like Tumblr use Amazon storage as back-fill and more. So does Amazon police Tumblr?

I believe your accusations against GoDaddy might be libel or worse; they're not actively seeking to do what you accuse them of, but they're not inhiibiting it, either. IANAL, but you might consider that they might be

Of course they make money. Plain and simple: never credit consipacy where sloth was the problem.

Yeah, they gain by being sloppy. But there's not a single law enforcement entity that gives a flying fleep, either. Do you see the FBI jumping in to save the day? Har. CIA? I'm ROFL. Justice Dept? ho ho ho. FTC? Huh?

But you didn't tell me: how do you know what's malware and not, so that a judge doesn't throw out a warrant or an order? And you didn't tell me: what kind of secondary auth is going to be acceptable? And you didn't tell me how they're going to police it-- parse incoming streams? Audit what are supposed to be private sites? With what? Updated with what?

Ecuador answered your question a few comments away- http://tech.slashdot.org/comments.pl?sid=4671761&cid=45967943 [slashdot.org] "
Imagine if instead of malware you attempted to host copyrighted content on Amazon or GoDaddy or whomever else. Immediate takedown of the content and people coming after you. If you host malware on the other hand, meh, as long as Amazon gets paid they can host it without getting into trouble."

Amazon, on sales of $2.98 Billion for the 12 months ending September 30, 2013, had net income of $130 million.

You say the budgetary impact wouldn't even be a blip. How about putting a hard number on it?

There's a difference between a company being big and having "immense resources" to spend on staffing "a 24x7 abuse desk with very senior people."

Generally speaking, Amazon has been happy incurring a lot of losses in their bid for world domination. You may disagree with their allocation of resources as a company but it's difficult to conclude they have immense, unallocated resources sitting by and "they just don't want to" fix the problem.

I'm curious as to what you think the solution is that would be so easy for their smart people to fix.

Amazon operates on very thin margins. This is partially because they want to give customers a good price, which means they don't make a lot of profit per sale. It is also because they reinvest their profits in their business, buying more infrastructure, that kind of thing.

They are not like Apple, just hoarding tons of cash, they don't actually have a tone of money left over.

They are not like Apple, just hoarding tons of cash, they don't actually have a tone of money left over.

Companies like Apple and Microsoft make so much money that they simply don't know what to spend it on. They hoard out of sheer necessity. Google has a similar problem, but they're a tad more creative when it comes to spending money (hence the robotic cars and other hobby projects you see coming out of that company).

Actually they horde because the bulk of that cash is stuck overseas and if they brought it back to corporate to use it would get taxed and they don't want to pay the taxes. This is why there have been pushes for repatriation taxes that would be at a lower rate than the usual 35%. But to do that would be just encouraging more tax dodging.

That argument would only work if there would be no ways to spend money outside of the US. Yet, contrary to what you (and many others from the US) seem to be thinking, there's actually a whole world out there, with plenty of opportunities to develop new business.

They can afford, using their spare change, to staff a 24x7 abuse desk with very senior people.

You think that the solution to this problem is a 24-hour abuse desk? Isn't that, by nature, a reactive solution instead of a proactive solution? This comes with the turf. When Amazon allows their customers to quickly and easily set up new virtual servers and things like that, this is going to happen. Unless they are actively scanning all files and data that go through their network to block things (and even that is not a full solution), we are going to continue to see the "cloud" malware sites. These are sites that pop up and maybe they only exist for a day or two, or a few hours, before they get shut down, but in that time they've done what they were supposed to do and once they go down another one pops up. A place that people can call to report malware is not going to solve that problem.

Amazon does control spam to at least some extent. They sent me an e-mail asking about it when one of the servers I have there started sending e-mail.

They asked me to describe my use case and set a new limit on outgoing messages.

Serving malware is probably difficult to do much about. I doubt they can directly scan servers for it (for a variety of reasons) and it would be difficult to distinguish from normal web traffic (especially if encrypted.) This probably means they need to wait for a problem before they can do something about it.

I suppose they could require more information about their customers, or include a waiting period on servers... but nobody does that, and in my opinion it would be unreasonable to require it of them.

Amazon cloud instances are a perfectly plausible place to send spam from, if you can get away with it and if it's cheaper than botnet service (and of course botnet services are just as happy to sell you compromised Amazon cloud instances instead of compromised home PCs if they have them.)

But he didn't say he tried to spam from his Amazon server and got questioned - he said he tried to send mail, and Amazon questioned them. Most virtual machines don't send mail directly, just as most residential PCs don't,

Until operations are held accountable for their actions -- which is somethingthat we USED to do on this network, a long time ago -- most won't bother.And that is, in large part, why problems like spam and phishing and malwareare epidemic.

Here you go wrong with your argument.

We DON'T want an ISP to police their network, do we? Why would an ISP have to be responsible for what users do with their network? Do you want them to police against possible copyright infringement, and block torrents, as well? Do you want them to read your messages, to make sure you don't post anything offensive on the networks?

All along we have been arguing for net neutrality. Just give us the connection, and let us decide what data we pass over that connection. And le

Amazon, with its immense resources, should be one of the cleanest hosts onthe planet. They can afford, using their spare change, to staff a 24x7 abuse deskwith very senior people. The budgetary impact wouldn't even be a blip. And withthe right people, suitably empowered, they could keep their operation nearly free ofmalware, phishing, spam, and other forms of abuse. They're far better positionedto do this than many smaller operations, who couldn't possibly afford it..

And I can't block Amazon, too much comes through their cloud.Nor can I block deploy.static.akamaitechnologies.com and a new one that's shown up sea09s01-in-f28.1e100.net both a caching services.

Foursquare, Pinterest and IMDB I occasionally ended up on following a Google search result. Etsy, PBS and Yelp I don't even know what it is. Netflix is not available here (I'm not in the US). Spotify may be interesting, getting back to following the music world again. But there must be alternatives for that as well.

Spinning this as a national issue is like saying "California has far more car accidents than Rhode Island." Of course it's true, but the US is far larger than (say) Germany, and has the largest hosting providers in the world. It would be a great surprise if the US wasn't in the lead.

So, is it your assumption that size is directly responsible for the malware? Why can't a large hosting company also institute the best protection mechanisms to reduce their malware content? GoDaddy I can see not giving a crap, but Amazon should do some proper management to reduce this problem.

So, is it your assumption that size is directly responsible for the malware? Why can't a large hosting company also institute the best protection mechanisms to reduce their malware content? GoDaddy I can see not giving a crap, but Amazon should do some proper management to reduce this problem.

Do you realize how much business they would lose if they did that?You can't just kick off all your best customers.

I agree with you, but I wonder if there is something that Amazon et al might be able to do about it. Would it be too cost/performance prohibitive to scan for known malware before a site is allowed to go live? Is that technically infeasible or are there confidentiality issues that prevent Amazon from doing that?

I mean, the whole problem is the legal framework, which is focused on dealing with the wrong issues. Imagine if instead of malware you attempted to host copyrighted content on Amazon or GoDaddy or whomever else. Immediate takedown of the content and people coming after you. If you host malware on the other hand, meh, as long as Amazon gets paid they can host it without getting into trouble.When I say it is a national issue, I don't mean it is only a US issue. It is a national issue for every country that writes the laws that corps ask for. Well, of course, it is the only country that I know off where corporate bribes are institutionalized, but that's another story.

It used to be that the US was the largest target/market for malware, but the malware itself was often running in China or Korea, and if it was running in the US it was on compromised home PCs. Now it's moved to the cloud. The Amazon part is more interesting, because it's general-purpose cloud service, as opposed to GoDaddy which specializes in hosting domain parking pages and similar malware-usable services.

Interestingly, China and India - the biggest countries in the world in population, and among the biggest in land area, are not even mentioned. India, known for it's many IT professionals, and China, evil evil China, known for it's hackers and crackers and general evilness when it comes to computer security. Nor is Russia, home to many prolific Internet criminals.

Yep. Exactly. Mine is not THE most locked down computer in the world, but nothing runs without my explicit permission. Nothing downloads without my explicit permission. Nothing comes from third party sites, without my explicit permission. It gets a little irritating sometimes. Popup reminders, asking me if I really want to permit application X to run code from site Y. But, in the long run, it's worth it. I always get the opportunity to block something that I don't think is right.

That seems to depend on your definition of "population". I think it's been established that the US hosts more of almost everything than any other country. For the population of "internet facing servers", it seems that the US may have the highest population in the world. If not, we certainly rank up there alongside the highest. Who might have more than the US?

I often interact with large companies' IT departments and the general ID is to completely block all Amazon EC2 servers to prevent spam, malware attacks and access to filter bypass services like Ultrasurf, regardless of the possibility of legitimate sites hosted on Amazon. Occasionally they'll make exceptions for port 80 but the idea is basically, "since Amazon is complicit in hosting so much malicious or nefarious crap on the internet, just block Amazon."

We blocked facebook a couple of years ago. the wailing and gnashing of teeth was everywhere.

It went away rather rapidly when we offered to open access on a per-person basis with a request, signed by management, as to what their business need for facebook was. Same with streaming radio and video sites.When your allocated bandwidth for a site is operating at a constant 80% or more, and 90% of THAT is recreational/entertainment sites something has to change. They bitched, but real business traffic began worki